coilyco-flight-deck/cli-guard
1
0
Fork 0
Code Issues 12 Pull requests Projects Releases Packages Wiki Activity Actions

Rename profile_decision.coordinate.* to declared_* so the static-label semantics are self-evident #1

New issue
Open
opened 2026-05-23 20:53:51 +00:00 by coilysiren · 0 comments
coilysiren commented 2026-05-23 20:53:51 +00:00
Owner
Copy link

Originally filed by @coilysiren on 2026-05-20T21:16:37Z - https://github.com/coilysiren/cli-guard/issues/83

Symptom

audit.ProfileDecision.Coordinate (data_security, blast_radius, network_egress, filesystem_reach) serializes to JSON field names that read as runtime observations. The most common misread is coordinate.network_egress: "air-gapped" on a row whose wrapped process opened hundreds of outbound HTTPS connections. Both are technically correct - the profile labels the verb shape air-gapped, the process opened sockets anyway - but the field name does not carry its own caveat.

Context

Filed as the upstream half of coilysiren/coily#282. Coily already documents the static-vs-runtime distinction in docs/audit.md, but documentation only helps readers who already know to look. The field name should be self-documenting.

Possible shapes

  1. Rename the JSON keys in audit.Coordinate to declared_data_security, declared_blast_radius, declared_network_egress, declared_filesystem_reach. Go field names can stay; only the json: tags change.
  2. Rename the outer key from coordinate to declared_coordinate instead, leaving the inner axes alone. Smaller diff, same semantic effect.
  3. Add a sibling observed block populated by built-in network-aware verbs (matches today's egress[] already on the row, would deprecate the standalone egress[] shape).

Shape 2 is the cheapest move. Shape 1 reads more clearly per-field. Shape 3 is the most invasive but unifies the runtime surface.

Blast radius

JSON schema change. Consumers: coily itself (audit-row readers, finding-filer), any downstream that greps audit JSONL. No on-disk migration needed since the audit log is append-only - new rows carry the new key, old rows keep the old one. Readers need to handle both for the rotation window.

Pairs with

  • coily#282 - demand-side finding, closed by documentation.
  • agent-guard egress monitoring asymmetry between built-in verbs and repo.* exec verbs (separate finding).
_Originally filed by @coilysiren on 2026-05-20T21:16:37Z - [https://github.com/coilysiren/cli-guard/issues/83](https://github.com/coilysiren/cli-guard/issues/83)_ **Symptom** `audit.ProfileDecision.Coordinate` (`data_security`, `blast_radius`, `network_egress`, `filesystem_reach`) serializes to JSON field names that read as runtime observations. The most common misread is `coordinate.network_egress: "air-gapped"` on a row whose wrapped process opened hundreds of outbound HTTPS connections. Both are technically correct - the profile labels the verb shape `air-gapped`, the process opened sockets anyway - but the field name does not carry its own caveat. **Context** Filed as the upstream half of [coilysiren/coily#282](https://github.com/coilysiren/coily/issues/282). Coily already documents the static-vs-runtime distinction in [docs/audit.md](https://github.com/coilysiren/coily/blob/main/docs/audit.md), but documentation only helps readers who already know to look. The field name should be self-documenting. **Possible shapes** 1. Rename the JSON keys in `audit.Coordinate` to `declared_data_security`, `declared_blast_radius`, `declared_network_egress`, `declared_filesystem_reach`. Go field names can stay; only the `json:` tags change. 2. Rename the outer key from `coordinate` to `declared_coordinate` instead, leaving the inner axes alone. Smaller diff, same semantic effect. 3. Add a sibling `observed` block populated by built-in network-aware verbs (matches today's `egress[]` already on the row, would deprecate the standalone `egress[]` shape). Shape 2 is the cheapest move. Shape 1 reads more clearly per-field. Shape 3 is the most invasive but unifies the runtime surface. **Blast radius** JSON schema change. Consumers: coily itself (audit-row readers, finding-filer), any downstream that greps audit JSONL. No on-disk migration needed since the audit log is append-only - new rows carry the new key, old rows keep the old one. Readers need to handle both for the rotation window. **Pairs with** - coily#282 - demand-side finding, closed by documentation. - agent-guard egress monitoring asymmetry between built-in verbs and `repo.*` exec verbs (separate finding).
coilysiren added
P4
 and removed
P3
 labels 2026-05-31 07:00:17 +00:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
v0.1.0
Labels
Clear labels
  
P0
now / blocking / urgent

  
P1
next / important

  
P2
backlog / will do

  
P3
someday / low

  
P4
icebox / frozen / reopen if it becomes real

No labels
P0
P1
P2
P3
P4
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
coilyco-flight-deck/cli-guard#1
No description provided.